configuring SSL for windows replication
On 4/06/2011 8:00 a.m., Rich Megginson wrote:
> On 06/03/2011 01:38 PM, solarflow99 wrote:
>> For self-signed certs, as I understand it, the 389 supplier that has the CA
>> must create a server cert for the Windows host? How can this cert be
>> exported/imported since Windows doesn't use pk12util? Has anyone set this up,
>> and can say the steps on Windows 2008? I see there are many options for
>> installing IIS and Microsoft CA.
> That's the easiest way to generate an SSL server cert for MS AD - Install MS CA
> as an Enterprise Root CA - it will automatically issue the AD server cert.
> Otherwise, look here http://directory.fedoraproject.org/wiki/Howto:WindowsSync -
> you can use mmc with the Certificates snap-in to import/export certs and pkcs12
The procedure to generate the certificate request is outlined here
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051 which is
referenced from the howto Rich mentions.
Here's something that may catch you out. When you use certreq on the Windows
server to generate a certificate request, it generates a corresponding key for
that request (storing it in the Documents and Settings hierarchy). If, for any
reason, you need to generate another certificate, do NOT re-use the request file
(the .req file) you already have; you have to generate a new request.
If, and only if, your Windows domain is running at the 2008 functional level, the
best place to put the CA certificate is in the NTDS service's certificate store
(as outlined at the bottom of the Knowledge Base article above). Otherwise,
import it into the local computer account's personal store.
389 users mailing list
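The certreq procedure and the "never reuse the .req" caveat from the reply above, as an added PowerShell example that is not part of the thread: the DC name, the C:\certs paths and the CA file name are assumptions, and the request template follows the KB 321051 layout.

```powershell
# Added example: generate a fresh certreq request per run, accept the issued cert,
# and verify it landed with its private key. All names/paths below are assumed.
$DcFqdn  = "dc1.example.com"          # assumed DC name; use the real FQDN
$WorkDir = "C:\certs"                 # assumed working directory
$CaCert  = "C:\certs\389-ca.cer"      # assumed: CA cert exported from the 389 supplier
$Stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# certreq binds a newly generated private key to every request it creates, so a
# new .inf/.req pair is written on each run and an old .req is never resubmitted.
$Inf = Join-Path $WorkDir "ldaps-$Stamp.inf"
$Req = Join-Path $WorkDir "ldaps-$Stamp.req"
$Cer = Join-Path $WorkDir "ldaps-$Stamp.cer"

# Request template in the KB 321051 style (single-quoted here-string, subject via -f).
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={0}"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@ -f $DcFqdn | Set-Content -Path $Inf -Encoding ASCII

certreq -new $Inf $Req      # writes the PKCS#10 request; the private key stays on this host
# ... have the CA issue $Req and save the issued certificate as $Cer, then:
certreq -accept $Cer        # installs it in the local computer's Personal store

# The issued certificate must pair with the key certreq generated for THIS request.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DcFqdn" -and $_.HasPrivateKey }
if (-not $cert) { throw "Certificate for $DcFqdn has no private key: was an old .req reused?" }

# Assumed placement: trust the 389 CA in the computer's Trusted Root store so the chain validates.
certutil -addstore -f Root $CaCert
```

Run it in an elevated PowerShell on the DC; the private-key check is the one that fails when an old .req was resubmitted.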